Lame: HTB
I am going to preface this with the fact that I rooted it using Metasploit… but that takes no skill, and I am studying for OSCP and need to do it manually, so I went back and did it again the right way.
(There is no right way though, if you break into a box you broke in. Be proud.)
Remember to do your due diligence and check everything listed. You may be surprised (for a quick win, vsftpd 2.3.4 can be exploited via Metasploit).
FTP:
Unfortunately, nothing was gained from FTP.
distccd:
This exploit worked, but I used the commented code that fixed the python3 issue to get it to work.
https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855
So we got in as daemon.
Make sure to do information gathering about everything. There was a kernel-level exploit that could have gotten you to root, but I did not do that one. (I plan on doing this again with that exploit to play around with it.)
We were able to navigate to the one user that we see and find their user flag. Sick.
Unfortunately, from here I had to back out and do something completely different because I could not figure out a better priv esc from where we were at the time.
With smbclient and smbmap we are able to check possible shares and permissions on those shares we have access to.
CVE-2007-2447
Our finding leads us to the exploit listed above.
This part of the exploit is what we are using.
With that we get root.
As always. Stay curious my friends.